That lingering Heartbleed flaw recently discovered in 200,000 devices is more insidious than that number indicates. According to a report posted by Shodan, the Heartbleed vulnerability first exposed in April 2014 was still found in 199,594 internet-accessible devices during a scan it performed last weekend. But according to open-source security firm Black Duck, about 11% of the more than 200 applications it audited between October 2015 and March 2016 contained the flaw, which enables a buffer over-read that endangers data from clients and servers running affected versions of OpenSSL. The company's vice president of security strategy, Mike Pittenger, says it's likely most of those machines have been remediated, but that doesn't address the countless other applications, commercial and proprietary, that Black Duck didn't audit. "However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time." That 11% is a number from the company's last published report. In a new report due out next month that hasn't been wrapped up yet, that number is likely to dip into the single digits, but it is still significant. The problem is that commercial software in general uses a great deal of open source code, 35% on average, and the authors of the code don't necessarily have processes in place to track when vulnerabilities are found in that code and then to patch them, he says. He says Black Duck's study finds that two-thirds of these applications have open-source vulnerabilities of one kind or another and that they average five years old.
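The tracking process the article describes as missing can start with something as simple as checking a component inventory against the affected upstream range. The following Python is an added example, not Black Duck's tooling or code from the article; the inventory is constructed, and the version test assumes upstream OpenSSL numbering, so a distribution build carrying a backported fix under an older version string will still be flagged and needs confirmation against the vendor's advisory.

```python
"""Flag bundled OpenSSL versions in the Heartbleed-affected upstream range.

Affected upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
Fixed in 1.0.1g and 1.0.2-beta2. The 0.9.8, 1.0.0 and 1.1+ lines never
shipped the missing bounds check on the heartbeat payload length.
"""
import re

# major.minor.fix, optional patch letter(s), optional -betaN suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(version: str):
    """Return (major, minor, fix, patch, beta) or None if unrecognised."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4)
    # OpenSSL patch letters order as "" < "a" < "b" ...; encode as 0, 1, 2 ...
    patch = 0 if not letters else ord(letters[0]) - ord("a") + 1
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, patch, beta


def heartbleed_affected(version: str) -> bool:
    """True if the upstream release in this version string had the flaw."""
    parsed = parse_openssl_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, patch, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        return patch <= 6          # 1.0.1 .. 1.0.1f affected, 1.0.1g fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1           # only 1.0.2-beta1 shipped the bug
    return False


# Constructed inventory of (application, bundled OpenSSL version)
INVENTORY = [
    ("billing-portal", "1.0.1e"),
    ("vpn-appliance", "1.0.1g"),
    ("legacy-pos", "1.0.0m"),
    ("media-gateway", "1.0.2-beta1"),
    ("new-api", "1.1.1w"),
]


def audit(inventory):
    """Return the sorted names of applications bundling an affected OpenSSL."""
    return sorted(app for app, ver in inventory if heartbleed_affected(ver))


if __name__ == "__main__":
    for app in audit(INVENTORY):
        print(f"{app}: OpenSSL in Heartbleed-affected range, confirm the fix")
```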
In regard to Heartbleed in particular, he says the reports draw on anonymized data about its audits, so they don't reveal the specific applications in which the Heartbleed vulnerability was found. Running vulnerable applications in a regulated environment could have consequences for the enterprises using them, he says, because the security threat they represent could violate HIPAA or PCI security and privacy requirements. The Shodan report on the prevalence of Heartbleed showed that the individual entities hosting the largest number of Heartbleed-vulnerable devices were service providers. That may be because these machines were set up a while ago and are no longer in use but were never taken offline, Pittenger says.